Analysis
- max time kernel: 148s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 07:38
Behavioral task
- behavioral1
  - Sample: 64d71d6cb8041fbb44975daa669ed125.exe
  - Resource: win7-20231129-en
  (Every signature and IoC on this page is tagged behavioral2, the win10v2004-20231215-en run named in the Analysis block; results for this Windows 7 task are not shown here.)
General
- Target: 64d71d6cb8041fbb44975daa669ed125.exe
- Size: 4.8MB
- MD5: 64d71d6cb8041fbb44975daa669ed125
- SHA1: c08dabc7e47c9bd4c950b4b37e1cb09cb264f9c7
- SHA256: 0970c65085942cac294377272eadf9a2facf73f5f16bb6986062bbff22a1455c
- SHA512: e3f32899b25d269ffbf2e75e400d6fa785cfc7efce827a16a2b1f563318424eb6cac1b643500756167a816869d2df6240ab23ae95fc77be3cb7c9b2ad9e36d08
- SSDEEP: 98304:2agnJlfqwra+MAZp5HxBIITBQmg0kgwJjMTciS64qSPdq0fPW2spuro:2Rff2+M+BI6QWkgIScUX23k
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (12 IoCs)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral2/files/0x0006000000023112-21.dat | acprotect
  behavioral2/files/0x0006000000023104-27.dat | acprotect
  behavioral2/files/0x000600000002310f-29.dat | acprotect
  behavioral2/files/0x000600000002310b-33.dat | acprotect
  behavioral2/files/0x0006000000023113-36.dat | acprotect
  behavioral2/files/0x0006000000023106-39.dat | acprotect
  behavioral2/files/0x000600000002310e-41.dat | acprotect
  behavioral2/files/0x000600000002310c-45.dat | acprotect
  behavioral2/files/0x0006000000023110-47.dat | acprotect
  behavioral2/files/0x0007000000023100-51.dat | acprotect
  behavioral2/files/0x0006000000023107-53.dat | acprotect
  behavioral2/files/0x0006000000023114-58.dat | acprotect
- Loads dropped DLL (13 IoCs)
  pid | Process
  3232 | 64d71d6cb8041fbb44975daa669ed125.exe (13 identical rows: all 13 dropped-DLL loads happen in PID 3232)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- UPX packed file (yara rule: upx, 38 IoCs)
  resource | yara_rule
  behavioral2/files/0x0006000000023112-21.dat | upx
  behavioral2/memory/3232-23-0x0000000075570000-0x000000007598E000-memory.dmp | upx
  behavioral2/files/0x0006000000023104-27.dat | upx
  behavioral2/memory/3232-30-0x00000000754B0000-0x00000000754D3000-memory.dmp | upx
  behavioral2/files/0x000600000002310f-29.dat | upx
  behavioral2/memory/3232-32-0x00000000754A0000-0x00000000754AC000-memory.dmp | upx
  behavioral2/files/0x000600000002310b-33.dat | upx
  behavioral2/memory/3232-35-0x0000000075480000-0x0000000075496000-memory.dmp | upx
  behavioral2/files/0x0006000000023113-36.dat | upx
  behavioral2/memory/3232-38-0x0000000075430000-0x000000007543C000-memory.dmp | upx
  behavioral2/files/0x0006000000023106-39.dat | upx
  behavioral2/memory/3232-42-0x0000000075420000-0x000000007542F000-memory.dmp | upx
  behavioral2/files/0x000600000002310e-41.dat | upx
  behavioral2/memory/3232-44-0x00000000751C0000-0x0000000075412000-memory.dmp | upx
  behavioral2/files/0x000600000002310c-45.dat | upx
  behavioral2/memory/3232-48-0x0000000075190000-0x00000000751BB000-memory.dmp | upx
  behavioral2/files/0x0006000000023110-47.dat | upx
  behavioral2/memory/3232-50-0x00000000750F0000-0x0000000075181000-memory.dmp | upx
  behavioral2/files/0x0007000000023100-51.dat | upx
  behavioral2/memory/3232-54-0x00000000750D0000-0x00000000750E9000-memory.dmp | upx
  behavioral2/files/0x0006000000023107-53.dat | upx
  behavioral2/memory/3232-56-0x0000000075570000-0x000000007598E000-memory.dmp | upx
  behavioral2/memory/3232-57-0x00000000750A0000-0x00000000750CB000-memory.dmp | upx
  behavioral2/files/0x0006000000023114-58.dat | upx
  behavioral2/memory/3232-60-0x00000000754B0000-0x00000000754D3000-memory.dmp | upx
  behavioral2/memory/3232-61-0x0000000074F80000-0x000000007508F000-memory.dmp | upx
  behavioral2/memory/3232-62-0x0000000075570000-0x000000007598E000-memory.dmp | upx
  behavioral2/memory/3232-63-0x00000000754B0000-0x00000000754D3000-memory.dmp | upx
  behavioral2/memory/3232-64-0x00000000754A0000-0x00000000754AC000-memory.dmp | upx
  behavioral2/memory/3232-65-0x0000000075480000-0x0000000075496000-memory.dmp | upx
  behavioral2/memory/3232-68-0x00000000751C0000-0x0000000075412000-memory.dmp | upx
  behavioral2/memory/3232-67-0x0000000075420000-0x000000007542F000-memory.dmp | upx
  behavioral2/memory/3232-66-0x0000000075430000-0x000000007543C000-memory.dmp | upx
  behavioral2/memory/3232-69-0x0000000075190000-0x00000000751BB000-memory.dmp | upx
  behavioral2/memory/3232-70-0x00000000750F0000-0x0000000075181000-memory.dmp | upx
  behavioral2/memory/3232-71-0x00000000750D0000-0x00000000750E9000-memory.dmp | upx
  behavioral2/memory/3232-72-0x00000000750A0000-0x00000000750CB000-memory.dmp | upx
  behavioral2/memory/3232-73-0x0000000074F80000-0x000000007508F000-memory.dmp | upx
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  7 | api.ipify.org
  8 | api.ipify.org
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2080 wrote to memory of 3232 | 2080 | 64d71d6cb8041fbb44975daa669ed125.exe | 90
  PID 2080 wrote to memory of 3232 | 2080 | 64d71d6cb8041fbb44975daa669ed125.exe | 90
  PID 2080 wrote to memory of 3232 | 2080 | 64d71d6cb8041fbb44975daa669ed125.exe | 90
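The memory-dump IoC names in the yara lists above encode the process, a dump sequence number and the address range of the region that matched. The following added example (not tria.ge code) parses those names into distinct module regions for the child process, so the packed dropped files can be related to what is actually mapped into PID 3232. The sample input is a constructed subset of the upx entries above, copied verbatim; the full list repeats most regions several times.

```python
"""Added example (not tria.ge code): reduce the 'upx' yara IoC list to the
distinct in-memory module regions it covers, with sizes and hit counts."""
import re

# Constructed sample input: a subset of the upx IoC entries from the report,
# copied verbatim. The real list repeats most regions several times.
UPX_IOCS = (
    "behavioral2/files/0x0006000000023112-21.dat upx "
    "behavioral2/memory/3232-23-0x0000000075570000-0x000000007598E000-memory.dmp upx "
    "behavioral2/files/0x0006000000023104-27.dat upx "
    "behavioral2/memory/3232-30-0x00000000754B0000-0x00000000754D3000-memory.dmp upx "
    "behavioral2/memory/3232-56-0x0000000075570000-0x000000007598E000-memory.dmp upx "
    "behavioral2/memory/3232-61-0x0000000074F80000-0x000000007508F000-memory.dmp upx "
    "behavioral2/memory/3232-62-0x0000000075570000-0x000000007598E000-memory.dmp upx"
)

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"(behavioral\d+)/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp"
)
# <task>/files/<object-id>-<seq>.dat
FILE_RE = re.compile(r"(behavioral\d+)/files/(0x[0-9a-fA-F]+-\d+)\.dat")


def parse_iocs(text):
    """Return (dropped_files, regions) where regions maps
    (pid, start, end) -> sorted list of dump sequence numbers."""
    files = [name for _task, name in FILE_RE.findall(text)]
    regions = {}
    for _task, pid, seq, start, end in MEM_RE.findall(text):
        start_i, end_i = int(start, 16), int(end, 16)
        if end_i <= start_i:
            raise ValueError(f"inverted region in IoC: {start}-{end}")
        regions.setdefault((int(pid), start_i, end_i), []).append(int(seq))
    for seqs in regions.values():
        seqs.sort()
    return files, regions


def region_summary(regions):
    """One row per distinct region: (pid, start, end, size, dump_count),
    ordered by address so adjacent or overlapping modules stand out."""
    rows = [(pid, s, e, e - s, len(seqs)) for (pid, s, e), seqs in regions.items()]
    return sorted(rows, key=lambda r: (r[0], r[1]))


def overlapping(regions):
    """Pairs of distinct regions in the same pid whose ranges overlap. A yara
    hit on two overlapping ranges usually means one module dumped with
    different bounds, not two modules, so count them once when triaging."""
    rows = region_summary(regions)
    hits = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if a[0] == b[0] and a[1] < b[2] and b[1] < a[2]:
                hits.append((a[1:3], b[1:3]))
    return hits


if __name__ == "__main__":
    files, regions = parse_iocs(UPX_IOCS)
    print(f"{len(files)} dropped files, {len(regions)} distinct memory regions")
    for pid, s, e, size, n in region_summary(regions):
        print(f"pid {pid} 0x{s:08X}-0x{e:08X} size 0x{size:X} ({n} dumps)")
```

Run over the full list above this yields 12 distinct regions, one per packed .dat file, all below 0x80000000 in PID 3232; that is consistent with 32-bit modules in a 32-bit process on the x64 image (the resource tags list both arch:x86 and arch:x64).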
Processes
- C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe
  "C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe"
  PID: 2080 (depth 1)
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe
    "C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe"
    PID: 3232 (depth 2, child of PID 2080)
    - Loads dropped DLL
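The tree above shows the sample spawning a second copy of itself and writing into it (three WriteProcessMemory IoCs from PID 2080 into PID 3232), while every dropped-DLL load happens in the child. The added example below (not tria.ge code) turns that into a reusable check: it parses the WriteProcessMemory rows as rendered on this page and flags parent-to-child writes where both processes run the same image path. The process map is constructed from the tree above; the "parent" field is an assumption taken from the nesting.

```python
"""Added example (not tria.ge code): flag WriteProcessMemory IoCs where a
process writes into a direct child that runs the same image."""
import re
from dataclasses import dataclass

# Constructed sample input: the three WriteProcessMemory rows and the two
# process entries from this report. "parent" is taken from the tree nesting.
WPM_ROWS = [
    "PID 2080 wrote to memory of 3232 2080 64d71d6cb8041fbb44975daa669ed125.exe 90",
    "PID 2080 wrote to memory of 3232 2080 64d71d6cb8041fbb44975daa669ed125.exe 90",
    "PID 2080 wrote to memory of 3232 2080 64d71d6cb8041fbb44975daa669ed125.exe 90",
]
PROCESSES = {
    2080: {"image": r"C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe",
           "parent": None},
    3232: {"image": r"C:\Users\Admin\AppData\Local\Temp\64d71d6cb8041fbb44975daa669ed125.exe",
           "parent": 2080},
}

# Columns as rendered on the page: description, pid, Process, procid_target.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\d+)$")


@dataclass(frozen=True)
class WriteEvent:
    writer_pid: int
    target_pid: int
    writer_image: str   # basename as shown in the IoC table
    procid_target: int  # sandbox-internal id of the target process


def parse_wpm(row):
    """Parse one IoC row; the pid in the description must equal the pid column."""
    m = WPM_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
    if m.group(1) != m.group(3):
        raise ValueError(f"description pid and pid column disagree: {row!r}")
    return WriteEvent(int(m.group(1)), int(m.group(2)), m.group(4), int(m.group(5)))


def same_image_child_writes(rows, processes):
    """Return {(writer_pid, target_pid): write_count} for writes where the
    target is a direct child of the writer and both run the same image path.
    A parent writing into a freshly spawned copy of itself is a common staging
    step before the child is hollowed or injected with the real payload."""
    counts = {}
    for ev in map(parse_wpm, rows):
        writer = processes.get(ev.writer_pid)
        target = processes.get(ev.target_pid)
        if writer is None or target is None:
            continue  # no process record, cannot compare images
        if target["parent"] != ev.writer_pid:
            continue  # only parent-to-child writes count for this heuristic
        if writer["image"].lower() == target["image"].lower():
            key = (ev.writer_pid, ev.target_pid)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (src, dst), n in same_image_child_writes(WPM_ROWS, PROCESSES).items():
        print(f"PID {src} wrote {n} time(s) into same-image child PID {dst}")
```

Treat a hit as a triage signal rather than a verdict: legitimate software also spawns same-image children, so correlate with what the child does next. Here the 13 dropped-DLL loads are all in the child (PID 3232), which is where the unpacked behaviour should be examined.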
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 81KB
  MD5: 2ebf45da71bd8ef910a7ece7e4647173
  SHA1: 4ecc9c2d4abe2180d345f72c65758ef4791d6f06
  SHA256: cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b
  SHA512: a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457
- Filesize: 42KB
  MD5: 09c52add7abd44eded770115352f2f41
  SHA1: 48f44e158bdf2f6a1329fac4df96dc18aa84a88f
  SHA256: 9255d3f6217ba0e7ad4be558798764ccf6a796b143c6e12ef639692f5198558f
  SHA512: ed97478c35b495598ea0e2a9ec35fa75a3cc2ae68abbf74f768d90d5e4b7b637f716c865e4d5a2c8c3b217696598a12abf748c64395d5517c765bb2e2ff52af8
- Filesize: 50KB
  MD5: f63b6453662fd08af9c442a0bbb85308
  SHA1: 81721fbd1579a6af44677ed1573d7c5f1ed7ec7e
  SHA256: b88ff4a52a6d3529f7d36dfd530bfd206ebf2ac7c171f7d06f9cc3345a57209e
  SHA512: 1edb1fa0106f7651b34e9e89a2a3f0a27ff0d0f456ba63b4ee3e65d2db073144c792369219e45afb50febd23d80020320aa1d4b37b2d790e839ee70ec13b2ab7
- Filesize: 23KB
  MD5: 8268a89d1d90fdd9a747fea7f1ccbc20
  SHA1: 1fcb3558e6577a289dac4114c0223156087c77eb
  SHA256: 7e30c7a03c4df99bbb1d316409ee0aec698c56fc7f87ff6b0f6185173692a525
  SHA512: 0db082b4a11ab410601fbc165de719853ebadfa140e597f07d3d562db4d5bd44f5af1ed185a866588935a8d49afd7440fee7f51e038bea639153d8bf41e97ecb
- Filesize: 79KB
  MD5: c06a1015d4bceaaabe9b8e8fa9c5590b
  SHA1: 52b802ac7e6723a2c668f173bb217bb085810d6d
  SHA256: bb92c27f5bcdebe81ad2f6404552690349c909d7af460bd7067479cba6881ea7
  SHA512: 7f12fb2747a9dc73f2719f7e1deb45c0ae482c7ef406d76cdcbd25357b97374405115f21efb79c23ed3976d4fb2067d44773dc7313f63b78d3bd0d41037f3173
- Filesize: 34KB
  MD5: cedd8543545b42279837d0b08c39363b
  SHA1: 6d593892d452723ba54a2970463537fc33979bed
  SHA256: 5bb719c09e9c2bb8f6fa9a3b6ff0a932f9291a6263d621b8a96201e9b895260a
  SHA512: 94a306725417660ea9e3eb9c40bad04140ef22f09a3844ddc4024b1464dd02e2c1fdebddeddb1ba7f215c51b2538690ded1dc374c1fd0c6f1024b45728549046
- Filesize: 53KB
  MD5: a868bcaa557f6b6093eb4f60e4569c42
  SHA1: 8654b06e306312becffac03a2fd09deb34dc13d3
  SHA256: 1289aa6c9244f3832f2953bf5bf5e43d7a258557113aba16e53909773875ec77
  SHA512: 94c3e55d516d1c846e970774474669ac581e199b231182f579cbed8276f45096960bc67ff30aa2ddc58e775f1d8ff646083ab9371a3077bc3db52318193f4000
- Filesize: 759KB
  MD5: 5b9dbac77705ebeafb101b3f9b0fb50f
  SHA1: 6bb77af71ea5a2059d77779334674462fe7419df
  SHA256: db13fc22122682b641e2f3eb1ff402255136fb27edabf0d6a317ae090730f570
  SHA512: 1ee42d058b8c1e1eaea03de954dd69f40dcf60ff171421c2add1e52185484a63be7fff05e2bfcb8d50fa298ff9f1db62dff10a4cb975d28d903c70b34dfe0e5c
- Filesize: 735KB
  MD5: dfb4e027ca2a25250ca39392bedf33f3
  SHA1: a82e9947aa2ede6773522758382c72fb26b026a5
  SHA256: 47fe61d2c06325cdf638b9d4b751a1f028c796a18b55bd07ef7578f028077eb8
  SHA512: e72bd597fcc6fb01d3849c9f792e6046b1efdc2a8d61339cc3432826c3eb9fac158d03005daadb366617b05d778689330e01278caece037fa84ed9ac6118dc88
- Filesize: 22KB
  MD5: bd6cae5d2914cbd29080c3f37293c944
  SHA1: 69254f47b2cb0c319dde36f79561dc1bd11aa66d
  SHA256: 0307d65c5ff0f171f99e26cde1aee5019361be7d4cd72603880ffec3d5e7ce56
  SHA512: c1d052ce66331981f8e73fb862cbbd80e20bd2808ba52174d64e8bef6008bca33e71f63d1f36d493da841a254c57e8f17851252fa5073fc68fe0ea91a48f782b
- Filesize: 165KB
  MD5: a872be59b61ab012c85c108582230fd2
  SHA1: 0e91ab548da481ea497838f89aecc0a948ce72f8
  SHA256: c7445a62a7e884d8c1140c51e321b5b03334d87f4f5d9cd6006cdfa10e02bb6a
  SHA512: 3f3cdbc4fbfb551a9e7aff3c7d7a34d46cabb90ca8c7e4794d4d84d178ee4fe1a4f28a606002a995e717391b8317be905e599217b65013dc27266c219f1c71be
- Filesize: 1.2MB
  MD5: 4a8154061167ba8b8185219b64ef53b9
  SHA1: e257578c2b7bcb6c69402c1abe64a3c9a614fd83
  SHA256: cd90fef028747cabee6300bb8661be54933d58ca3800bb7e0349ab7ffee25866
  SHA512: a583b03644e81114b82452bdca3a1ecf65d13b22e74c6f51539ab158249ae10f77b247b2bfda79a70678c05db8f5ff765e1fb6788cf89d4a8f9750db71d81ec7
- Filesize: 19KB
  MD5: 99f9d89add39c6e589d5d4c076e12ca6
  SHA1: 5a370cb3295fd5e72023ec844a347a9b47640c2b
  SHA256: dc95c6e11e197545ce40a56f102c380cfa36d3181497074313c19e2876180fce
  SHA512: 7b991937d3f14a07d0ce78c561d891d605f61c6169be99bd39cf9d1550ad38459d54602947533678afbc41d58559299bed63c065a07ab0563636b807b0629b28
- Filesize: 277KB
  MD5: b25cdf18204d4b6b76d9894b36113e64
  SHA1: e74fa6bed5881337321771f78dcd118f8448eb5d
  SHA256: d09e4fe7e7a39dcb7066ad22072a36100405a22f1c716f46499f0f78d96116ae
  SHA512: 016a0a538a85fbdae09e0dc31339ace1262e9c237804a0758b4157c48a831fa3f7b65e0d616992d442378c0986ff0d373e6bffa8b9bb84d5995fbb4633ac6ece
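The Downloads list above is the usable IOC set from this run: 14 dropped files with four digests each. As extracted, the labels ran straight into the digests ("MD52ebf…"), which is exactly the kind of damage that silently corrupts a blocklist if the hashes are copied out by hand. The added example below (not tria.ge code) parses that block form, validates every digest against its expected length, and matches arbitrary file bytes against the resulting records, requiring every listed algorithm to agree. The sample input is two entries from the list above, copied verbatim in the fused form; the "LABEL: hex" form is accepted as well.

```python
"""Added example (not tria.ge code): parse the Downloads hash blocks into
validated records and match file contents against them."""
import hashlib
import re

# Constructed sample input: two entries from the report, copied verbatim in
# the fused "LABEL<hex>" form produced by extraction. "LABEL: <hex>" also parses.
SAMPLE_BLOCK = """
Filesize
81KB
MD52ebf45da71bd8ef910a7ece7e4647173
SHA14ecc9c2d4abe2180d345f72c65758ef4791d6f06
SHA256cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b
SHA512a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457
-
Filesize
759KB
MD55b9dbac77705ebeafb101b3f9b0fb50f
SHA16bb77af71ea5a2059d77779334674462fe7419df
SHA256db13fc22122682b641e2f3eb1ff402255136fb27edabf0d6a317ae090730f570
SHA5121ee42d058b8c1e1eaea03de954dd69f40dcf60ff171421c2add1e52185484a63be7fff05e2bfcb8d50fa298ff9f1db62dff10a4cb975d28d903c70b34dfe0e5c
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest labels first so "SHA512<hex>" is never read as "SHA1" + digest.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*:?\s*([0-9a-fA-F]+)$", re.I)
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_downloads(text):
    """Return a list of dicts: 'size' (approximate bytes, from the rounded
    label) plus lowercase hex digests keyed by algorithm name."""
    records, cur = [], {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":                      # record separator
            if cur:
                records.append(cur)
            cur = {}
        elif line.lower() == "filesize":     # value is on the next line
            i += 1
            m = SIZE_RE.match(lines[i]) if i < len(lines) else None
            if not m:
                raise ValueError("Filesize label without a size value")
            cur["size"] = int(float(m.group(1)) * UNIT[m.group(2).upper()])
        else:
            m = LABEL_RE.match(line)
            if not m:
                raise ValueError(f"unexpected line in hash block: {line!r}")
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:  # catches truncated/merged digests
                raise ValueError(f"{algo} digest has {len(digest)} hex chars: {line!r}")
            cur[algo] = digest
        i += 1
    if cur:
        records.append(cur)
    return records


def is_well_formed(text):
    """True when every block parses and every digest has the right length."""
    try:
        parse_downloads(text)
        return True
    except ValueError:
        return False


def digests_of(data, algos=("md5", "sha1", "sha256", "sha512")):
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def match_bytes(data, records):
    """Return the first record whose every listed digest equals the digest of
    `data`, else None. Requiring all algorithms to agree means a single MD5 or
    SHA1 collision cannot by itself produce a match."""
    have = digests_of(data)
    for rec in records:
        algos = [a for a in have if a in rec]
        if algos and all(rec[a] == have[a] for a in algos):
            return rec
    return None
```

The size label is kept only as an approximate value (the page rounds to whole KB or tenths of MB), so use it as a pre-filter before hashing large files, never as a match criterion on its own.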